User Accessed Suspicious URL Categories

SymantecProxySG
| mv-expand cs_categories
| where cs_categories has_any ("Suspicious","phishing", "hacking")
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)

queryPeriod: 1h
query: |
  SymantecProxySG
  | mv-expand cs_categories
  | where cs_categories has_any ("Suspicious","phishing", "hacking")
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)  
name: User Accessed Suspicious URL Categories
entityMappings:
- fieldMappings:
  - columnName: cs_userdn
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: Computer
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: c_ip
    identifier: Address
  entityType: IP
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
description: |
    'Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.'
kind: Scheduled
version: 1.0.5
status: Available
severity: Medium
relevantTechniques:
- T1566
- T1071
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- CommandAndControl
id: fb0f4a93-d8ad-4b54-9931-85bdb7550f90